After the recent group of site hacks against some popular design blogs, it is time to think about our own websites' security. Most of the sites that were targeted were pretty popular, but it is still important to take what precautions we can.
CSS-Tricks.com, one of the sites that was hacked, has a lot of information on the subject here. From what I've read, these 12 blogs were transferred (or attempts were made to transfer them) from their existing registrar to a new registrar, where they are being held for ransom. It looks like the hacker was able to get the email password and registrar password of the site owners, which essentially allowed the hacker to log in and move the domains without any trouble.
There is a ton of criticism in the comments (about GoDaddy mainly), but really the blame should be on the site owners. Your email password is the most important password you have, and if it gets compromised, many of your other secure logins can be jeopardized. And yes, the customer service at GoDaddy can be pretty awful, but you get what you pay for. GoDaddy has done nothing wrong in this case, except not pursuing a resolution faster.
It looks like these were not random hacks but were targeted at these specific design blogs. So I wouldn't say we all need to be nervous about this happening to us, but this would be a good time to go over our own online security.
Securing Your Websites and Online Identity
Start with your passwords. If you are still using the same password for all of your logins, it is time to stop. Also, if you are not using highly randomized passwords with lowercase and uppercase letters, numbers and symbols, you really should be. Never save your password in the browser.
You should be using LastPass or 1Password. These services store all of your passwords for you and allow you to access them by entering your one "master" password. Doing this allows you to make some really randomized passwords that you won't have to remember or keep track of, like 3#[email protected]
Personal Computer Security
If your personal computer doesn't require a password to log in, you should set one up at the very least. Turn on your firewall. Don't work under an admin account; set up a standard user account for yourself.
For Mac, which happens to be the operating system all of the above people were using, here are some resources.
Backup, Backup, Backup
No matter how many precautions you take or how secure you are, chances are that if someone wants your information badly enough, they will find a way to get it. Have cloud-based backups running regularly so that if you do get hacked, you can quickly restore without losing a lot of data. Also, it doesn't hurt to do additional backups of your SQL databases and websites and store them on a physical drive with you. External drives are super cheap these days.
If you are using a CMS, there is probably a backup add-on you can install. If not, you can use cron to set up your backups.
Here is a nice roundup of backup methods on Noupe.com
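A cron-driven backup job of the kind described above, added here as an example (it is not from the original post, the Noupe roundup, or any particular host or CMS). The site path, backup directory, database name and retention period are placeholder assumptions set at the top; the database dump relies on mysqldump reading credentials from ~/.my.cnf.

```shell
#!/bin/sh
# Nightly backup of a site's files and its MySQL database, run from cron.
# All paths and names below are placeholder assumptions, not from the post.
SITE_DIR="${SITE_DIR:-/var/www/example.com}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/sites}"
DB_NAME="${DB_NAME:-example_db}"
KEEP_DAYS="${KEEP_DAYS:-14}"

# Archive the web root into a timestamped tar.gz; prints the archive path.
backup_files() {
    site="$1"; dest="$2"
    mkdir -p "$dest"
    out="$dest/files-$(basename "$site")-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$out" -C "$(dirname "$site")" "$(basename "$site")"
    echo "$out"
}

# Dump the database; credentials come from ~/.my.cnf rather than the
# command line, so they never show up in `ps` output or cron mail.
# Dump first, compress second, so a failed dump does not leave a "good" file.
backup_db() {
    db="$1"; dest="$2"
    mkdir -p "$dest"
    out="$dest/db-$db-$(date +%Y%m%d-%H%M%S).sql"
    mysqldump --single-transaction "$db" > "$out" && gzip -f "$out"
    echo "$out.gz"
}

# A backup you cannot restore is not a backup: confirm the archive is readable.
verify_archive() {
    tar -tzf "$1" > /dev/null
}

# Remove archives older than KEEP_DAYS so the backup disk does not fill up.
prune_old() {
    find "$1" -type f -name '*.gz' -mtime +"$2" -delete
}

# Run the full job only when invoked with "run" (as cron does); sourcing the
# file just defines the functions. Example crontab line, 03:00 every night:
#   0 3 * * * /usr/local/bin/site-backup.sh run >> /var/log/site-backup.log 2>&1
if [ "${1:-}" = "run" ]; then
    f=$(backup_files "$SITE_DIR" "$BACKUP_DIR")
    verify_archive "$f"
    d=$(backup_db "$DB_NAME" "$BACKUP_DIR")
    gzip -t "$d"
    prune_old "$BACKUP_DIR" "$KEEP_DAYS"
    echo "backup ok: $f $d"
fi
```

Copy the resulting archives off the server (the external drive mentioned above, or cloud storage) so a compromised host cannot take the backups down with it.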
Your Hosting Provider
Just like with cheap registrars, cheap hosts can put you in harm's way. Find a host that has a proven security record. The host I use is Enginehosting. Many hosts provide backups of your websites and databases. Take advantage of these services, but I recommend still doing your own backups. You can never be too safe with your data.
You should be using Time Machine to back up your computer daily. Also, using a service like Dropbox, or something equivalent, is highly recommended.
Choosing a Registrar
When choosing a registrar, you get what you pay for. Cheap ones like GoDaddy and 1and1 are secure and can safely be used for smaller websites. But if you have a domain that you absolutely cannot lose, you should look into a better registrar.
If you really need your domain to be secure, you will want to set it up so that it requires phone verification, and a verification password given verbally to the registrar, to make any changes to your account. Of course this is overkill for 90% of domains, but if you are worried about it, these kinds of registrars are around.
The reason these sites were able to be moved was that the hacker had both their email and registrar passwords. To help secure your email if you use Gmail, set up 2-Step Verification. Essentially it requires that you enter your password and, if you are logging in from a new location, that you also enter a one-time code that is sent via text message to your phone. It only takes a few minutes to set up and is easy to use. Make sure to do it.
There is no foolproof way of being totally secure, but if you use good practices and backup regularly, you can reduce the chances of your information being compromised, and if it does happen, you can reduce the damage.